How safe is your site?

The news that American banking giant JP Morgan Chase had been hit by one of the biggest cyber attacks in corporate history, affecting 76 million households and seven million small businesses, sent shivers through the financial services industry.

Such was the severity and importance of the attack that the bank issued a statement to the Securities & Exchange Commission confirming that user contact information, comprising names, addresses, phone number and email addresses, had been compromised, although there was no evidence that account information had been similarly affected.

However, the admission by JP Morgan Chase’s chief executive Jamie Dimon that it is impossible to guarantee total protection from losses caused by data breaches has propelled cyber security to the top of the reputational risk list.

Dimon, while revealing that JP Morgan Chase plans to double spending on cyber security safeguards over the next four to five years, added: ‘We don’t want to be sitting here saying you will absolutely be protected because it would put you in a false sense of security.’

There is no ‘absolute’, he cautioned, adding that the bank faces ‘relentless, constant and evolving waves’ of cyber attacks on its systems.

But JP Morgan Chase is not alone. The fifth annual Cost of Cyber Crime Study, conducted by the Ponemon Institute in association with HP Enterprise Security, suggests that the average company is now compromised every four days at a cost to the business of between $1.6 million (£1 million) and $61 million (£38 million) a year. And for some companies, the cost is even greater.

Last December, American retailer Target conceded that it had been the subject of a cyber attack after security blogger Brian Krebs reported the breach. After initially reporting that 40 million credit and debit card accounts had been attacked, Target later confirmed that the personal information of at least 70 million customers, including telephone numbers and mailing addresses, had also been compromised.

The retailer mounted a major PR campaign in the wake of the attack, including full page newspaper advertisements dedicated to addressing the breach, and a bespoke microsite. But six months later, its chief executive and chairman Gregg Steinhafel stepped down after a 35-year career at Target, conceding that the events had ‘tested’ the business in ‘unprecedented ways’. And more recently, Target reported a 62 per cent drop in second quarter profits, partly as a result of the cyber attack.

‘It’s one thing losing information but then there’s the compounding effect that turns it into a crisis,’ says David Prince, delivery director of information security at Schillings. Such a ‘compounding effect’ can stretch from media interest, the impact on customers and clients, including the cost of any fraudulent activity on their accounts, to any fines that may be levied as a consequence of breaching data protection legislation.

‘[Data breaches] can have such a significant impact on reputation. And when you suffer reputation damage, it can be incredibly difficult to recover and regain stakeholder and client confidence,’ says Prince.

MOUNTING ATTACKS

But despite the high profile nature of Target’s attack, other retailers have been unable to prevent similar breaches. In May, eBay revealed that as many as 145 million user records had been accessed by hackers, who stole personal information including encrypted passwords, names, addresses and telephone numbers – all of which could be used as a basis for identity fraud or even to help unlock financial accounts.

Similarly, last month Home Depot announced that 56 million customer debit and credit cards were at risk after hackers broke into its payment systems.

eBay requested that users changed their passwords as a precaution while Home Depot removed the malicious software from its systems, but both have since been criticised for their slow response to the incidents. The attack on eBay happened in February or March, weeks before they informed customers, while it took Home Depot five months to detect the breach.

It is now facing class-action law suits, which allege that the retailer failed to protect personal information and did not warn consumers about the breach in a timely manner. Yet the Ponemon Institute’s report revealed that it takes companies 170 days, on average, to detect a malicious or criminal attack.

But it also appears that the attack on eBay was not an isolated one. A recent BBC investigation uncovered an unrelated breach in which hackers had been using cross-site scripting to inject malicious content into the site and harvest eBay users of personal data. The BBC alleged that eBay has known about this phishing scam since February, but has failed to do anything about it.

From eBay’s perspective, however, it’s not so simple. ‘Cross-site scripting, carried out by malicious individuals, is an issue affecting sites across the Internet,’ says Clare Moore-Bridger, head of communications at eBay. ‘The criminals behind cross-site scripting and phishing activity intentionally adapt their code and tactics to try to stay ahead of the most sophisticated security systems.’

The retailer claims to have a range of security features designed to detect and then remove listings containing malicious code, as well as, Moore-Bridger says, hundreds of engineers, security and fraud specialists ‘working around the clock to detect and take action against security issues’. It is down to such efforts, she adds, that the company is able to guarantee as much as $55 billion (£34 billion) in annual purchases – as part of its eBay Money Back Guarantee programme.

Sophisticated though it sounds, however, it must be a concern to retailers and customers alike that even these substantial efforts do not appear to be sufficient to either thwart these attacks or stop the bad press. But, as Art

Gilliland, senior vice president and general manager, enterprise security products at HP, points out: ‘Adversaries only need to be successful once to gain access to your data, while their targets must be successful every time to stop the barrage of attacks their organisations face every day.’

FACING UP TO THREATS

‘Threats come from a number of different sources,’ explains Ken Allan, global leader, information security at Ernst & Young (EY). ‘So there are the insider threats simplified into malicious and accidental – and they’ve always been there. But we see external threats – cyber criminals and nation states – as growing and almost overtaking insider threats for the first time this year.’ With the proliferation of mobile and cloud technology, this risk is only heightened. ‘These technology components are broadening the attack surface so there’s more to aim at,’ says Allan.

In this fast-paced environment, it may be that businesses are struggling to keep up. ‘Many companies are operating in a more digital way than they realise,’ says Richard Horne, cyber security partner at PwC.

‘They are much more connected. Companies are no longer fortress organisations. They are reliant on partners, suppliers, data transfers from other companies, and so on. The problem is they don’t realise how vulnerable they are.’

For Schillings’ Prince, the solution starts with accepting that this isn’t merely a technology issue but a critical reputation management one. ‘Quite often information security (IS) is tagged under IT and that means it’s operating in the deepest darkest corner of the business and in a different way to the organisation around it,’ he says. ‘But this is a business issue and it demands a business response. It starts with the board.’ Not surprisingly, when reputation is at stake, Prince believes communication is critical.

‘Corporate communicators are not nearly involved as much as they should be,’ he says. ‘They are incredibly important business stakeholders and they need to become more responsible for helping to protect information and business reputation.’

Schillings runs crisis simulations to help clients understand the intricacies of responding to a data breach. These bring together corporate communications with board members, the CIS officer, general counsel, IT and human resources. ‘We basically go through a live scenario, because the best way to prepare for a data breach is to actually have one,’ says Prince.

Getting corporate communications involved in cyber security makes sense both on an internal and external level. One of the major threats, for instance, still comes from insiders, including current and former employees. For example, the eBay data breach used employee log-in credentials. But despite this, a recent PwC Global State of Information Security report, which surveyed nearly 10,000 executives based globally, found that 29 per cent do not know of a senior executive who proactively communicates the importance of information security, a figure that is up from last year. ‘A secure organisation is one that can engage its people in a creative and constant way that enables them to handle information securely,’ says Prince.

But companies need also to prepare external crises scenarios for when information about a data breach becomes public. ‘Accept that you are going to suffer a significant breach at some point,’ says Allan. ‘How will you deal with the press, customers/clients, reputational fall out, big contracts that are a work in progress?’

Mark Seifert, partner at Brunswick Group, has seen an increase in corporate communications professionals seeking guidance on responding to data breaches. ‘In the US, and in the UK, businesses have figured out the importance of cyber security – we’ve seen an uptick in cyber security insurance and you know something’s arrived when that happens,’ he says.

But he argues that the great challenge for corporate communicators is that breaches can take time to detect and then the scope of the attack may not initially be clear. ‘When you discover a data breach, you don’t know the extent of the damage,’ he says. ‘The forensics of this, figuring out what has happened, takes time. But meanwhile you have to figure out how to communicate confidently and honestly, without trying to fill in the gaps – because things will inevitably change from day one of the discovery.’

CHALLENGING THE RULES OF COMMUNICATION

The situation becomes more complex when organisations deliberately prolong the attack in an attempt to gather more critical information. EY worked with one organisation, for instance, where the breach went on for several months.

‘The transactional losses were quite small so we let it run and discovered it was an intelligence breach. So we were able to create a kind of virtual environment ‘honey trap’, which the hackers thought was the real thing they were meant to be going for,’ says Allan. ‘If you take the approach that you’re going to let it run, it does carry a potentially higher risk. You have to think Am I justified in doing this? Could we explain why we took this course?’

Such considerations are further complicated by legislation. Organisations must inform regulators of a data breach, but only at the right time. ‘If you go to the regulators too soon without enough information you could amplify the whole situation and find they come in and audit you,’ explains Prince. Cyber security therefore appears to question the rules of traditional crisis communications, including the speed of response.

Even using communication to boast of your sophisticated security measures as a means to boost reputation and gain competitive advantage incurs risk. ‘You want to be able to tell customers that their information is safe in your hands, but you need to do so without goading hackers,’ says Allan.

Facing considerable challenges, many organisations may be forgiven for feeling somewhat paralysed by cyber security threats. But EY’s latest security survey suggests that businesses typically fall into one of three levels:

1. Those that have the basics in place;

2. Those thinking about the issues they face and how they can try and get ahead;

3. Those that are doing more than that.

Most businesses, Allan says, are at level two. With threats only rising, it will be critical for organisations to move to a more proactive phase of preparing for and responding to myriad cyber threats. This may be far from easy but a first vital step must be to take information protection out of the sole domain of the IT/IS department and make it a business-wide priority.

As more businesses do so, it will become even more apparent that corporate communications must take a leading role. Cyber security is not merely about technology. In a world of evermore devastating cyber attacks, it will be communications that man the defences of an organisation’s reputation.

WHO IS RESPONSIBLE FOR DATA BREACHES?

Debate continues as to who should be held ultimately responsible for data breaches in the retail sector– retailers, financial service organisations or the card issuers behind the transactions, or even online shoppers who may not safeguard their own account information.

‘Trust is a job bigger than just one entity,’ says Clare Moore Bridger, head of communications at eBay. ‘It’s a shared responsibility among all parties that use online systems – businesses, individuals and law enforcement. We must all work together to keep online commerce safe and secure.’

But consumers, it seems, are not so even-handed. The majority hold retailers responsible, second only to the criminals perpetrating the attack, according to a recent survey of US consumers conducted by Brunswick Group.

Highlights of the survey, conducted earlier in 2014, include:

• Ninety-four per cent of consumers surveyed are concerned about retail data breaches.

• Consumers are nearly as likely to hold retailers responsible for data breaches (61 per cent) as the criminals themselves (79 per cent). Only 34 per cent blame the banks that issue debit and credit cards.

• Seventy-five per cent believe that retailers are not doing enough to prevent infiltrations into their customer data and payment systems.

• Seventy percent of respondents believe that retailers should be held financially responsible for consumer losses that result from a breach; not banks or card issuers.

• Finally, 34 per cent of those surveyed report that they no longer shop at a specific retailer due to a past data breach issue.

For online retailers, this will be a salutary reminder of the importance of cyber security and the need to put in place a communications plan for when inevitable data breaches occur.